Security

Cloudflare Stops New World's Largest DDoS Attack Over Labor Day Weekend (zdnet.com) 21

An anonymous reader quotes a report from ZDNet: Over the Labor Day weekend, Cloudflare says it successfully stopped a record-breaking distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). This came only a few months after Cloudflare blocked a then all-time high DDoS attack of 7.3 Tbps. This latest attack was almost 60% larger.

According to Cloudflare, the assault was the result of a hyper-volumetric User Datagram Protocol (UDP) flood attack that lasted about 35 seconds. During that just more than half-minute attack, it delivered over 5.1 billion packets per second. This attack, Cloudflare reported, came from a combination of several IoT and cloud providers. Although compromised accounts on Google Cloud were a major source, the bulk of the attack originated from other sources.

The specific target of this attack has not been publicly disclosed, but we can be sure the intent was to overwhelm the victim's network and render online services inoperative. Cloudflare says its globally distributed, fully autonomous DDoS mitigation network detected and neutralized the threat in real time, without notable impact on customer services or requiring manual intervention. This operation highlights both the rising sophistication of attack methods and the resilience of modern internet infrastructure defenses, especially Cloudflare's use of real-time packet analysis, fingerprinting, and rapid threat intelligence sharing across its network.

Bug

Frostbyte10 Bugs Put Thousands of Refrigerators At Major Grocery Chains At Risk (theregister.com) 43

An anonymous reader quotes a report from The Register: Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions. The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings. Operational technology security firm Armis found and reported the 10 bugs to Copeland, which has since issued firmware updates that fix the flaws in both the E3 and the E2 controllers. The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform. Upgrading to Copeland firmware version 2.31F01 mitigates all the security issues detailed here, and the vendor recommends patching promptly.

In addition to the Copeland updates, the US Cybersecurity and Infrastructure Security Agency (CISA) is also scheduled to release advisories today, urging any organization that uses vulnerable controllers to patch immediately. Prior to these publications, Copeland and Armis execs spoke exclusively to The Register about Frostbyte10, and allowed us to preview an Armis report about the security issues. "When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges," it noted. [...] To be clear: there is no indication that any of these vulnerabilities were found and exploited in the wild before Copeland issued fixes. However, the manufacturer's ubiquitous reach across retail and cold storage makes it a prime target for all manner of miscreants, from nation-state attackers looking to disrupt the food supply chain to ransomware gangs looking for victims who will quickly pay extortion demands to avoid operational downtime and food spoilage.

Security

Hackers Threaten To Submit Artists' Data To AI Models If Art Site Doesn't Pay Up (404media.co) 32

An old school ransomware attack has a new twist: threatening to feed data to AI companies so it'll be added to LLM datasets. 404 Media reports: Artists&Clients is a website that connects independent artists with interested clients. Around August 30, a message appeared on Artists&Clients attributed to the ransomware group LunaLock. "We have breached the website Artists&Clients to steal and encrypt all its data," the message on the site said, according to screenshots taken before the site went down on Tuesday. "If you are a user of this website, you are urged to contact the owners and insist that they pay our ransom. If this ransom is not paid, we will release all data publicly on this Tor site, including source code and personal data of users. Additionally, we will submit all artwork to AI companies to be added to training datasets."

LunaLock promised to delete the stolen data and allow users to decrypt their files if the site's owner paid a $50,000 ransom. "Payment is accepted in either Bitcoin or Monero," the notice put on the site by the hackers said. The ransom note included a countdown timer that gave the site's owners several days to cough up the cash. "If you do not pay, all files will be leaked, including personal user data. This may cause you to be subject to fines and penalties under the GDPR and other laws."

Android

What Every Argument About Sideloading Gets Wrong (hugotunius.se) 89

Developer Hugo Tunius, writing in a blog post: Sideloading has been a hot topic for the last decade. Most recently, Google has announced further restrictions on the practice in Android. Many hundreds of comment threads have discussed these changes over the years. One point in particular is always made: "I should be able to run whatever code I want on hardware I own." I agree entirely with this point, but within the context of this discussion it's moot.

When Google restricts your ability to install certain applications they aren't constraining what you can do with the hardware you own, they are constraining what you can do using the software they provide with said hardware. It's through this control of the operating system that Google is exerting control, not at the hardware layer. You often don't have full access to the hardware either and building new operating systems to run on mobile hardware is impossible, or at least much harder than it should be. This is a separate, and I think more fruitful, point to make. Apple is a better case study than Google here. Apple's success with iOS partially derives from the tight integration of hardware and software. An iPhone without iOS is a very different product to what we understand an iPhone to be. Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.

Microsoft

Azure Budget Alerts Go Berserk After Microsoft Account Migration Misfire (theregister.com) 13

An anonymous reader shares a report: Some Microsoft Azure customers have had a worrying few days after a problematic account migration caused forecast costs for the cloud service to skyrocket, triggering budget alerts.

An alarmed Register reader got in touch after receiving warnings from Azure's automated systems that they had significantly exceeded their budgets, and a glance at Microsoft's support forums indicates their issue was not isolated.

The problem was that costs had suddenly ramped up. One user, with a budget threshold of $85, received an automated alert indicating that their spend was forecast to reach $1,027. Another said: "We're actively seeing the same issue, costs have blown up by a crazy amount. No official notice or announcement from Microsoft either, it's appalling."

Microsoft

Blizzard's 'Diablo' Devs Unionize. There's Now 3,500 Unionized Microsoft Workers (aftermath.site) 68

PC Gamer reports: The Diablo team is the next in line to unionize at Blizzard. Over 450 developers across multiple disciplines have voted to form a union under the Communications Workers of America (CWA), and they're now the fourth major Blizzard team to do so... A wave of unions have formed at Blizzard in the last year, including the World of Warcraft, Overwatch, and Story and Franchise Development teams. Elsewhere at Microsoft, Bethesda, ZeniMax Online Studios and ZeniMax QA testers have also unionized...

The CWA says over 3,500 Microsoft workers have now organized to fight for fair compensation, job security, and improved working conditions.

CWA is America's largest communications and media labor union, and in a statement, local 9510 president Jason Justice called the successful vote "part of a much larger story about turning the tide in an industry that has long overlooked its labor. Entertainment workers across film, television, music, and now video games are standing together to have a seat at the table. The strength of our movement comes from that solidarity."

And CWA local 6215 president Ron Swaggerty said "Each new organizing effort adds momentum to the nationwide movement for video game worker power."

"What began as a trickle has turned into an avalanche," writes the gaming news site Aftermath, calling the latest vote "a direct result of the union neutrality deal Microsoft struck with CWA in 2022 when it was facing regulatory scrutiny over its $68.7 billion purchase of Activision Blizzard." We've come a long way since small units at Raven and Blizzard Albany fended off Activision Blizzard's pre-acquisition attempts at union busting in 2022 and 2023, and not a moment too soon: Microsoft's penchant for mass layoffs has cut some teams to the bone and left others warily counting down the days until their heads land on the chopping block. This new union, workers hope, will act as a bulwark...

[B]ased on preliminary conversations with prospective members, they can already hazard a few guesses as to what they'll be arm-wrestling management over at the bargaining table: pay equity, AI, crediting, and remote work.

Security

WhatsApp Fixes 'Zero-Click' Bug Used To Hack Apple Users With Spyware (techcrunch.com) 13

An anonymous reader quotes a report from TechCrunch: WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of "specific targeted users." The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.

Apple said at the time that the flaw was used in an "extremely sophisticated attack against specific targeted individuals." Now we know that dozens of WhatsApp users were targeted with this pair of flaws. Donncha O Cearbhaill, who heads Amnesty International's Security Lab, described the attack in a post on X as an "advanced spyware campaign" that targeted users over the past 90 days, or since the end of May. O Cearbhaill described the pair of bugs as a "zero-click" attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.

The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that's capable of stealing data from the user's Apple device. Per O Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to "compromise your device and the data it contains, including messages." It's not immediately clear who, or which spyware vendor, is behind the attacks. When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw "a few weeks ago" and that the company sent "less than 200" notifications to affected WhatsApp users. The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.

Microsoft

Microsoft Says Recent Windows Update Didn't Kill Your SSD (bleepingcomputer.com) 28

Microsoft has found no link between the August 2025 KB5063878 security update and customer reports of failure and data corruption issues affecting solid-state drives (SSDs) and hard disk drives (HDDs). From a report: Redmond first told BleepingComputer last week that it is aware of users reporting SSD failures after installing this month's Windows 11 24H2 security update. In a subsequent service alert seen by BleepingComputer, Redmond said that it was unable to reproduce the issue on up-to-date systems and began collecting user reports with additional details from those affected.

"After thorough investigation, Microsoft has found no connection between the August 2025 Windows security update and the types of hard drive failures reported on social media," Microsoft said in an update to the service alert this week. "As always, we continue to monitor feedback after the release of every Windows update, and will investigate any future reports."

Australia

Bank Apologizes For Firing Staff With Accidental Email (bbc.com) 22

One of Australia's largest banks has apologized to staff who found out they had been fired through an automated email asking them to hand back their laptops. From a report: ANZ's retail banking executive Bruce Rush said it was "not our intention to share such sensitive news with you in this way" as the firm cuts jobs in its retail banking business. The bank said the emails were sent to some staff ahead of schedule in error. It said it has since stopped sending the emails and that staff have been spoken to personally.

The Financial Sector Union said the email caused "panic and distress" and was a result of the company forcing through a "chaotic pace of change." The union's president Wendy Streets said it had not been consulted on the changes the bank was making, adding that "ANZ must do better." "Speed and cost-cutting cannot come at the expense of dignity and respect for workers," Ms Streets said, describing the "botched" episode as "disgusting." Mr Rush wrote in an email to staff: "Unfortunately, these emails indicate an exit date for some of our colleagues before we've been able to share their outcome with them."

Security

TransUnion Says Hackers Stole 4.4 Million Customers' Personal Information (techcrunch.com) 70

An anonymous reader quotes a report from TechCrunch: Credit reporting giant TransUnion has disclosed a data breach affecting more than 4.4 million customers' personal information. In a filing with Maine's attorney general's office on Thursday, TransUnion attributed the July 28 breach to unauthorized access of a third-party application storing customers' personal data for its U.S. consumer support operations.

TransUnion claimed "no credit information was accessed," but provided no immediate evidence for its claim. The data breach notice did not specify what specific types of personal data were stolen. In a separate data breach disclosure filed later on Thursday with Texas' attorney general's office, TransUnion confirmed that the stolen personal information includes customers' names, dates of birth, and Social Security numbers. [...] It's not clear who is behind the breach at TransUnion, or if the hackers made any demands to the company.

The Internet

Typepad is Shutting Down 11

Typepad, which launched in 2003 to make it easier for the masses to start their blogging journey, is shutting down. From a blog post: We have made the difficult decision to discontinue Typepad, effective September 30, 2025. After September 30, 2025, access to Typepad -- including account management, blogs, and all associated content -- will no longer be available. Your account and all related services will be permanently deactivated. Please note that after this date, you will no longer be able to access or export any blog content.
IT

German Banks Halted 10 Billion Euros in PayPal Payments on Fraud Concerns, Says Newspaper (reuters.com) 1

An anonymous reader shares a report: German banks blocked PayPal payments totalling more than 10 billion euros ($11.7 billion) over fraud concerns, the Sueddeutsche Zeitung newspaper reported on Wednesday, without specifying its sources. The payments were halted on Monday after lenders flagged millions of suspicious direct debits from PayPal that appeared last week, the newspaper said. Asked to comment on the report, a PayPal spokesperson said a temporary service interruption had affected "certain transactions from our banking partners and potentially their customers", but that the issue had now been resolved.
Security

Silver State Goes Dark as Cyberattack Knocks Nevada Websites Offline (theregister.com) 19

Nevada has been crippled by a cyberattack that began on August 24, taking down state websites, intermittently disabling phone lines, and forcing offices like the DMV to close. The Register reports: The Office of Governor Joseph Lombardo announced the attack via social media on Monday, saying that a "network security incident" took hold in the early hours of August 24. Official state websites remain unavailable, and Lombardo's office warned that phone lines will be intermittently down, although emergency services lines remain operational. State offices are also closed until further notice, including Department of Motor Vehicles (DMV) buildings. The state said any missed appointments will be honored on a walk-in basis.

"The Office of the Governor and Governor's Technology Office (GTO) are working continuously with state, local, tribal, and federal partners to restore services safely," the announcement read. "GTO is using temporary routing and operational workarounds to maintain public access where it is feasible. Additionally, GTO is validating systems before returning them to normal operation and sharing updates as needed." Local media outlets are reporting that, further to the original announcement, state offices will remain closed on Tuesday after officials previously expected them to reopen.
The state's new cybersecurity office says there is currently no evidence to suggest that any Nevadans' personal information was compromised during the attack.
The Military

Defense Department Reportedly Relies On Utility Written by Russian Dev (theregister.com) 58

A widely used Node.js utility called fast-glob, relied on by thousands of projectsâ"including over 30 U.S. Department of Defense systems -- is maintained solely by a Russian developer linked to Yandex. While there's no evidence of malicious activity, cybersecurity experts warn that the lack of oversight in such critical open-source projects leaves them vulnerable to potential exploitation by state-backed actors. The Register reports: US cybersecurity firm Hunted Labs reported the revelations on Wednesday. The utility in question is fast-glob, which is used to find files and folders that match specific patterns. Its maintainer goes by the handle "mrmlnc", and the Github profile associated with that handle identifies its owner as a Yandex developer named Denis Malinochkin living in a suburb of Moscow. A website associated with that handle also identifies its owner as the same person, as Hunted Labs pointed out.

Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor. According to Hunted Labs, fast-glob is downloaded more than 79 million times a week and is currently used by more than 5,000 public projects in addition to the DoD systems and Node.js container images that include it. That's not to mention private projects that might use it, meaning that the actual number of at-risk projects could be far greater.

While fast-glob has no known CVEs, the utility has deep access to systems that use it, potentially giving Russia a number of attack vectors to exploit. Fast-glob could attack filesystems directly to expose and steal info, launch a DoS or glob-injection attack, include a kill switch to stop downstream software from functioning properly, or inject additional malware, a list Hunted Labs said is hardly exhaustive. [...] Hunted Labs cofounder Haden Smith told The Register that the ties are cause for concern. "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it." [...]

Hunted Labs said that the simplest solution for the thousands of projects using fast-glob would be for Malinochkin to add additional maintainers and enhance project oversight, as the only other alternative would be for anyone using it to find a suitable replacement. "Open source software doesn't need a CVE to be dangerous," Hunted Labs said of the matter. "It only needs access, obscurity, and complacency," something we've noted before is an ongoing problem for open source projects. This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does," Hunted Labs concluded.

Security

FBI Warns Chinese Hacking Campaign Has Expanded, Reaching 80 Countries (msn.com) 19

The FBI and other law enforcement and intelligence agencies around the world warned Wednesday that a Chinese-government hacking campaign that previously penetrated nine U.S. telecommunications companies has expanded into other industries and regions, striking at least 200 American organizations and 80 countries. From a report: The joint advisory was issued with the close allies in the Five Eyes English-language intelligence-sharing arrangement and also agencies from Finland, Netherlands, Poland and the Czech Republic, an unusually broad array meant to demonstrate global resolve against what intelligence officials said is a pernicious campaign that exceeds accepted norms for snooping.

"The expectation of privacy here was violated, not just in the U.S., but globally," FBI Assistant Director Brett Leatherman, who heads the bureau's cyber division, told The Washington Post in an interview. Chinese hackers won deep access to major communication carriers in the U.S. and elsewhere, then extracted call records and some law enforcement directives, which allowed them to build out a map of who was calling whom and whom the U.S. suspected of spying, Leatherman said. Prominent politicians in both major U.S. parties were among the ultimate victims.

IT

Nothing Caught Using Stock Photos as Phone 3 Camera Samples 26

Phonemaker Nothing used professional stock photos to demonstrate its Phone 3's camera capabilities on retail demo units, according to The Verge. Five images the company presented as community-captured samples were licensed photographs from the Stills marketplace, taken with other cameras in 2023.

The Verge verified EXIF data confirming one image predated the Phone 3's release. Co-founder Akis Evangelidis acknowledged the photos were placeholders intended for pre-production testing that weren't replaced before deployment to stores.
Security

Farmers Insurance Data Breach Impacts 1.1 Million People After Salesforce Attack 10

Farmers Insurance disclosed a breach affecting 1.1 million customers after attackers exploited Salesforce in a widespread campaign involving ShinyHunters and allied groups. According to BleepingComputer, the hackers stole personal data such as names, birth dates, driver's license numbers, and partial Social Security numbers. From the report: The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification (PDF) on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities."

The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year.
Further reading: Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks
United States

FTC Warns Tech Giants Not To Bow To Foreign Pressure on Encryption (bleepingcomputer.com) 56

The Federal Trade Commission is warning major U.S. tech companies against yielding to foreign government demands that weaken data security, compromise encryption, or impose censorship on their platforms. From a report: FTC Chairman Andrew N. Ferguson signed the letter sent to large American companies like Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X (Twitter). Ferguson stresses that weakening data security at the request of foreign governments, especially if they don't alert users about it, would constitute a violation of the FTC Act and expose companies to legal consequences.

Ferguson's letter specifically cites foreign laws such as the EU's Digital Services Act and the UK's Online Safety and Investigatory Powers Acts. Earlier this year, Apple was forced to remove support for iCloud end-to-end encryption in the United Kingdom rather than give in to demands to add a backdoor for the government to access encrypted accounts. The UK's demand would have weakened Apple's encryption globally, but it was retracted last week following U.S. diplomatic pressure.

Security

Perplexity's AI Browser Comet Vulnerable To Prompt Injection Attacks That Hijack User Accounts 14

Security researchers have uncovered critical vulnerabilities in Perplexity's Comet browser that enable attackers to hijack user accounts and execute malicious code through the browser's AI summarization features. The flaws, discovered independently by Brave and Guardio Labs, exploit indirect prompt injection attacks that bypass traditional web security mechanisms when users request webpage summaries.

Brave demonstrated account takeover through a malicious Reddit post that compromised Perplexity accounts when summarized. The vulnerability allows attackers to embed commands in webpage content that the browser's large language model executes with full user privileges across authenticated sessions.

Guardio's testing found the browser would complete phishing transactions and prompt users for banking credentials without warning indicators. The paid browser, available to Perplexity Pro and Enterprise Pro subscribers since July, processes untrusted webpage content without distinguishing between legitimate instructions and attacker payloads.
IT

New Book Argues Hybrid Schedules 'Don't Work', Return-to-Office Brings Motivation and Learning (yahoo.com) 209

Yahoo Finance interviews Peter Cappelli, a Wharton professor of management, on "the business case for employers pushing for workers to get back to the office." (Cappelli has co-written a new book with workplace strategist Ranya Nehmeh titled In Praise of the Office: The Limits to Hybrid and Remote Work ...) Yahoo Finance: What's wrong with a hybrid work arrangement?

Cappelli: People just don't come in. That's maybe the single biggest factor. There is a growing awareness that people are really never there on their anchor days. If you want that for your company, you have to manage that attendance...

Yahoo Finance: What's the compelling advantage of in-person work?

Cappelli: There's value in human interaction, what we learn from each other, the cooperation that we can get in solving problems, and the motivation and commitment that comes from being around other people... When you first began your career, imagine what it would've been like if no one was in the office. You'd be completely lost.

If you think about how we learn about office work, we learn by watching. You learn what the values of the organization are. You learn it from the conversations in the office. You can see how the boss reacts to different requests and different problems. As you advance, you've got your ear to the ground, and you've got the opportunity to raise your hand and pitch in and have some influence. You can catch the boss between meetings and pass along a little tidbit of information, and you develop relationships with people where you can solve problems... Those are the kind of things that we miss when we move to remote — in addition to the general fact that people are energized by working with people.

With remote work, people also spend more time in meetings that are worthless. A lot of those things could be fixed, but the problem is they're not.

He argues remote work isn't as widespread as it seems. ("In Europe, for example, where employees have always had more power, I figured remote work would stay. It hasn't. Most everybody's gone back to the office.") Even in the U.S., 70% of employers are in-office, all the time. ("[M]ost employers are small. Remote work and hybrid work, in particular, is largely a big city, big company phenomenon... It's only white-collar jobs.")

And fewer jobs offered are being offered with remote-working options, he believes, now that the labor market has softened. "CEOs are now thinking we're losing something, and the employee resistance to return to the office has weakened.... The longer you wait, the harder it is to ever get people to come back without a big fight. " Cappelli: Right now, people might be saying, 'I will quit if I have to go back to the office,' but it turns out they don't mean it. The reason, of course, is it's one thing to say that you will quit; it's another to actually walk away from a paycheck...

If you opt for remote or hybrid, good outcomes don't happen by themselves. You can make it work, but it requires more time and effort for management, more rules, more practices, more leadership.

Slashdot Top Deals